
"Ineffective regulation can sometimes be worse than no regulation at all since it breeds a false sense of security."

—Benjamin Lawsky, New York State Superintendent of Financial Services, in a February 25 speech entitled "Financial Federalism: The Catalytic Role of State Regulators in a Post-Financial Crisis World."

The New York Department of Financial Services (DFS) supervises all New York State chartered banks, most U.S.-based branches and agencies of foreign banking institutions, and all insurance companies in New York. The DFS also supervises providers of financial services such as mortgage bankers and check cashing stores. Its superintendent, Benjamin Lawsky, takes a tough stance on regulations directed at the financial services sector.

Recently, in remarks made at Columbia University, Mr. Lawsky noted that, because they deal with extremely broad issues, federal regulators have not been effective in dealing with wrongdoing on Wall Street. To combat ineffectual federal regulation, he proposed "Financial Federalism," and called for state regulators to impose stricter controls on the financial industry than those imposed by the federal government.

Mr. Lawsky’s vision of Financial Federalism has three prongs:

Greater Wall Street accountability

Preventing money laundering in the financial sector

Strengthening cyber security in financial markets

Wall Street

Mr. Lawsky, a firm believer that real fraud deterrence on Wall Street will require individual liability and accountability, emphasized the need to make individuals responsible for wrongdoing face "real consequences." As such, he called for regulators to work harder to identify individual wrongdoers.

Preventing Money Laundering

Mr. Lawsky said the DFS wants greater controls on automatic transaction monitoring and filtering systems ("AML controls"), noting that every day, hundreds of millions of transactions through the bank payments system move hundreds of billions of dollars around the globe. Because banks rely on AML controls to track evidence of criminal activity, two potential problems arise. First, AML controls could be inadequate, defective, or improperly managed by the employees responsible for their operation. Worse still, these controls are susceptible to employee malfeasance or willful blindness, i.e., employees can manipulate controls to allow suspicious transactions to go through AML controls undetected. As a result, DFS is considering implementing random audits of AML controls as well as advocating for independent monitors to audit and examine controls instead of self-reporting.

Second, DFS is proposing that senior executives must personally attest to the adequacy and robustness of AML control systems. This idea is modeled after Section 302 of Sarbanes-Oxley 2002, which requires the CEO and CFO of publicly traded companies to attest to the truthfulness and adequacy of company financial statements.

Cybersecurity

Fearing that the financial sector will suffer a major cyber-attack (Mr. Lawsky refers to this as "Cyber 9/11"), DFS will revamp examinations of banks and insurance companies to incorporate new, targeted assessments of cybersecurity preparedness. Next, DFS is considering steps to address the cybersecurity of third-party vendors. Because third-party vendors have access to a financial institution’s information technology, DFS has contemplated mandating that financial institutions require robust representations and warranties from third-party vendors regarding cybersecurity.

Finally, Mr. Lawsky suggested all firms should move to "multi-factor authentication," which adds a second layer of security beyond the username and password. Upon entering a username and password, an additional password, required for access, is generated and sent to a cell phone.

Conclusion

Given Mr. Lawsky’s remarks, it seems clear that executives can expect to be subject to more personal liability. Further, regulated entities and third-party vendors must be prepared to spend more money, time, and personnel on AML controls and cybersecurity measures.
